Yet another major attack (possibly the biggest since 2015) against the Magento 1 eCommerce platform took place over the weekend, with potentially 2,000 stores breached worldwide, according to researchers from Sansec, who broke the story. With Magento 1 having reached end of life some 2 months ago, how is it that attackers are still able to compromise so many stores with attacks targeting the Magento 1 platform? The simple answer is that many web shop owners failed to heed the warnings and have still not replaced their out-of-date software. The longer this situation persists, the easier it becomes for the attackers, as no new patches will be released to fix any vulnerabilities.
One individual, under the username z3r0day, claims on a hacking forum to have a “remote code execution” exploit method, including instruction video for Magento 1 which can be purchased for $5,000. The seller is bold enough to guarantee his method due to Magento being end of life and there being no patches to stop the exploit.
If you are still running a Magento 1 eCommerce store you need to upgrade TODAY! Otherwise, a breach of your store is just around the corner.
In addition to putting your store and customers at risk of a data compromise, continuing with Magento 1 puts you in breach of your PCI DSS compliance obligations, namely requirement 6.2: "Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches."
If you require any advice or guidance with the security and compliance of your eCommerce web store, please contact 3B Data Security.
Two thousand Magento stores across the world have been hacked in the largest automated campaign to date.